Affected kernels 2.6.36 - 3.0

AppArmor may do a GFP_KERNEL memory allocation with task_lock(tsk->group_leader);
held when called from security_task_setrlimit.  This will only occur when the
task's current policy has been replaced, and the task's creds have not been
updated before entering the LSM security_task_setrlimit() hook.

BUG: sleeping function called from invalid context at mm/slub.c:847
 in_atomic(): 1, irqs_disabled(): 0, pid: 1583, name: cupsd
 2 locks held by cupsd/1583:
  #0:  (tasklist_lock){.+.+.+}, at: [<ffffffff8104dafa>] do_prlimit+0x61/0x189
  #1:  (&(&p->alloc_lock)->rlock){+.+.+.}, at: [<ffffffff8104db2d>]
do_prlimit+0x94/0x189
 Pid: 1583, comm: cupsd Not tainted 3.0.0-rc2-git1 #7
 Call Trace:
  [<ffffffff8102ebf2>] __might_sleep+0x10d/0x112
  [<ffffffff810e6f46>] slab_pre_alloc_hook.isra.49+0x2d/0x33
  [<ffffffff810e7bc4>] kmem_cache_alloc+0x22/0x132
  [<ffffffff8105b6e6>] prepare_creds+0x35/0xe4
  [<ffffffff811c0675>] aa_replace_current_profile+0x35/0xb2
  [<ffffffff811c4d2d>] aa_current_profile+0x45/0x4c
  [<ffffffff811c4d4d>] apparmor_task_setrlimit+0x19/0x3a
  [<ffffffff811beaa5>] security_task_setrlimit+0x11/0x13
  [<ffffffff8104db6b>] do_prlimit+0xd2/0x189
  [<ffffffff8104dea9>] sys_setrlimit+0x3b/0x48
  [<ffffffff814062bb>] system_call_fastpath+0x16/0x1b
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reported-by: Miles Lane <miles.lane@gmail.com>
Cc: stable@kernel.org
Signed-off-by: James Morris <jmorris@namei.org>

* 'pm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/suspend-2.6:
  PM / Runtime: Fix loops in pm_runtime_clk_notify()
  PM / Intel IOMMU: Fix init_iommu_pm_ops() for CONFIG_PM unset

This tries to make the 'struct inode' accesses denser in the data cache
by moving a commonly accessed field (i_security) closer to other fields
that are accessed often.

It also makes 'i_state' just an 'unsigned int' rather than 'unsigned
long', since we only use a few bits of that field, and moves it next to
the existing 'i_flags' so that we potentially get better structure
layout (although depending on config options, i_flags may already have
packed in the same word as i_lock, so this improves packing only for the
case of spinlock debugging)

Out 'struct inode' is still way too big, and we should probably move
some other fields around too (the acl fields in particular) for better
data cache access density.  Other fields (like the inode hash) are
likely to be entirely irrelevant under most loads.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

This is a rather hot function that is called with a potentially NULL
"struct common_audit_data" pointer argument.  And in that case it has to
provide and initialize its own dummy common_audit_data structure.

However, all the _common_ cases already pass it a real audit-data
structure, so that uncommon NULL case not only creates a silly run-time
test, more importantly it causes that function to have a big stack frame
for the dummy variable that isn't even used in the common case!

So get rid of that stupid run-time behavior, and make the (few)
functions that currently call with a NULL pointer just call a new helper
function instead (naturally called inode_has_perm_noapd(), since it has
no adp argument).

This makes the run-time test be a static code generation issue instead,
and allows for a much denser stack since none of the common callers need
the dummy structure.  And a denser stack not only means less stack space
usage, it means better cache behavior.  So we have a win-win-win from
this simplification: less code executed, smaller stack footprint, and
better cache behavior.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

* 'usb-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6: (28 commits)
  MAINTAINERS: add a maintainer to Gadget Framework
  USB: serial: add another 4N-GALAXY.DE PID to ftdi_sio driver
  Revert "USB: option: add ID for ZTE MF 330"
  drivers/usb/host/ohci-pxa27x.c: add missing clk_put
  USB: CONFIG_USB_GADGET_DUALSPEED is not user-configurable
  USB: dummy-hcd needs the has_tt flag
  usb-storage: redo incorrect reads
  usb/renesas_usbhs: free uep on removal
  usb/s3c-hsudc: fix error path
  usb/pxa25x_udc: cleanup the LUBBOCK err path
  usb/mv_udc_core: fix compile
  usb: gadget: include <linux/prefetch.h> to fix compiling error
  USB: s3c-hsotg: Tone down debugging
  usb: remove bad dput after dentry_unhash
  USB: core: Tolerate protocol stall during hub and port status read
  musb: fix prefetch build failure
  USB: cdc-acm: Adding second ACM channel support for Nokia E7 and C7
  usb-gadget: unlock data->lock mutex on error path in ep_write()
  USB: option Add blacklist for ZTE K3765-Z (19d2:2002)
  option: add Prolink PH300 modem IDs
  ...

I'll be continuing the amazing work Dave has
done with the Gadget Framework.
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

* 'spi/merge' of git://git.secretlab.ca/git/linux-2.6:
  spi/rtc-m41t93: Use spi_get_drvdata() for SPI devices
  spi/omap2: fix uninitialized variable

* git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6:
  cifs: trivial: add space in fsc error message
  cifs: silence printk when establishing first session on socket
  CIFS ACL support needs CONFIG_KEYS, so depend on it
  possible memory corruption in cifs_parse_mount_options()
  cifs: make CIFS depend on CRYPTO_ECB
  cifs: fix the kernel release version in the default security warning message

This is needed to get the following MAINTAINERS patch to apply properly.
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

E.g. newer CAN 2.0 A/B <=> USB 2.0 converters report idProduct=f3c2.
Signed-off-by: Steffen Sledz <sledz@dresearch-fe.de>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

One new offender detected by the recently increased type checking in
platform_get_drvdata():

drivers/rtc/rtc-m41t93.c: In function ‘m41t93_remove’:
drivers/rtc/rtc-m41t93.c:192: warning: passing argument 1 of ‘platform_get_drvdata’ from incompatible pointer type

Use spi_get_drvdata() instead of platform_get_drvdata(), cfr. commit
42fea15d ("spi/rtc-{ds1390,ds3234,m41t94}:
Use spi_get_drvdata() for SPI devices")
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>

* 'stable/bug.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
  xen: off by one errors in multicalls.c
  xen: use the trigger info we already have to choose the irq handler

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>

Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  perf: Fix comments in include/linux/perf_event.h
  perf: Comment /proc/sys/kernel/perf_event_paranoid to be part of user ABI
  perf python: Fix argument name list of read_on_cpu()
  perf evlist: Don't die if sample_{id_all|type} is invalid
  perf python: Use exception to propagate errors
  perf evlist: Remove dependency on debug routines
  perf, cgroups: Fix up for new API

* 'gpio/merge' of git://git.secretlab.ca/git/linux-2.6:
  gpio/samsung: make Kconfig options def_bool
  gpio/exynos4: Fix incorrect mapping of gpio pull-up macro to register setting
  GPIO: OMAP: add locking around calls to _set_gpio_triggering
  GPIO: OMAP: fix setting IRQWAKEN bits for OMAP4
  GPIO: OMAP: fix section mismatch warnings
  gpio: Fix gpio-exynos4 build fails in mainline

* 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-2.6:
  [media] soc_camera: preserve const attribute
  [media] uvc_entity: initialize return value
  [media] media: Fix media device minor registration
  [media] Make nchg variable signed because the code compares this variable against negative values
  [media] omap3isp: fix compiler warning
  [media] v4l: Fix media_entity_to_video_device macro argument name
  [media] ivtv: Internally separate encoder & decoder standard setting
  [media] ivtvfb: Add sanity check to ivtvfb_pan_display()
  [media] ivtvfb: use display information in info not in var for panning
  [media] ivtv: Make two ivtv_msleep_timeout calls uninterruptable
  [media] anysee: return EOPNOTSUPP for unsupported I2C messages
  [media] gspca - ov519: Set the default frame rate to 15 fps
  [media] gspca - stv06xx: Set a lower default value of gain for hdcs sensors
  [media] gspca: Remove coarse_expo_autogain.h
  [media] gspca - ov519: Change the ovfx2 bulk transfer size
  [media] gspca - ov519: Fix a regression for ovfx2 webcams

* 'drm-radeon-urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
  drm/radeon/kms: disable hdmi audio by default
  drm/radeon/kms: fix for radeon on systems >4GB without hardware iommu
  drm/radeon/kms: set family for use in parser.

Merge branch 'for_3.0/gpio-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/khilman/linux-omap-pm into gpio/merge

The flush_to_ldisc() work entry has special logic to notice when it has
seen the original tail of the data queue, and it avoids continuing the
flush if it sees that _original_ tail rather than the current tail.

This logic can trigger in case somebody is constantly adding new data to
the tty while the flushing is active - and the intent is to avoid
excessive CPU usage while flushing the tty, especially as we used to do
this from a softirq context which made it non-preemptible.

However, since we no longer re-arm the work-queue from within itself
(because that causes other trouble: see commit a5660b41 "tty: fix
endless work loop when the buffer fills up"), this just leads to
possible hung tty's (most easily seen in SMP and with a test-program
that floods a pty with data - nobody seems to have reported this for any
real-life situation yet).

And since the workqueue isn't done from timers and softirq's any more,
it's doubtful whether the CPU useage issue is really relevant any more.
So just remove the logic entirely, and see if anybody ever notices.

Alternatively, we might want to re-introduce the "re-arm the work" for
just this case, but then we'd have to re-introduce the delayed work
model or some explicit timer, which really doesn't seem worth it for
this.
Reported-and-tested-by: Guillaume Chazarain <guichaz@gmail.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Felipe Balbi <balbi@ti.com>
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

The current RE'd code causes blank screens and
display problems on a lot of systems.  So disable
it by default for now.  It can still be enabled
by setting the audio parameter to 1.  E.g.:
radeon.audio=1

Fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=38010
https://bugs.freedesktop.org/show_bug.cgi?id=27731
https://bugs.freedesktop.org/show_bug.cgi?id=35970
https://bugs.freedesktop.org/show_bug.cgi?id=26195
and many other reported problems.
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

On my x86_64 system with >4GB of ram and swiotlb instead of
a hardware iommu (because I have a VIA chipset), the call
to pci_set_dma_mask (see below) with 40bits returns an error.

But it seems that the radeon driver is designed to have
need_dma32 = true exactly if pci_set_dma_mask is called
with 32 bits and false if it is called with 40 bits.

I have read somewhere that the default are 32 bits. So if the
call fails I suppose that need_dma32 should be set to true.

And indeed the patch fixes the problem I have had before
and which I had described here:
http://choon.net/forum/read.php?21,106131,115940Acked-by: Alex Deucher <alexdeucher@gmail.com>
cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>

Wierdly the kms parser never initialised the family, it wasn't really used
much, but the fmt checker patch started using it and it fell over.
Reported-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Signed-off-by: Dave Airlie <airlied@redhat.com>

Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

* 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  genirq: Ensure we locate the passed IRQ in irq_alloc_descs()
  genirq: Fix descriptor init on non-sparse IRQs
  irq: Handle spurios irq detection for threaded irqs
  genirq: Print threaded handler in spurious debug output

Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  x86/amd-iommu: Fix boot crash with hidden PCI devices
  x86/amd-iommu: Use only per-device dma_ops
  x86/amd-iommu: Fix 3 possible endless loops

Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

* 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  sched: Fix/clarify set_task_cpu() locking rules
  lockdep: Fix lock_is_held() on recursion
  sched: Fix schedstat.nr_wakeups_migrate
  sched: Fix cross-cpu clock sync on remote wakeups

* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
  drm/nv40: fall back to paged dma object for the moment
  drm/nouveau: fix leak of gart mm node
  drm/nouveau: fix vram page mapping when crossing page table boundaries
  drm/nv17-nv40: Fix modesetting failure when pitch == 4096px (fdo bug 35901).
  drm/nouveau: don't create accel engine objects when noaccel=1
  drm/nvc0: recognise 0xdX chipsets as NV_C0
  drm/i915: Add a no lvds quirk for the Asus EeeBox PC EB1007
  drm/i915: Share the common force-audio property between connectors
  drm/i915: Remove unused enum "chip_family"
  drm/915: fix relaxed tiling on gen2: tile height
  drm/i915/crt: Explicitly return false if connected to a digital monitor
  drm/i915: Replace ironlake_compute_wm0 with g4x_compute_wm0
  drm/i915: Only print out the actual number of fences for i915_error_state
  drm/i915: s/addr & ~PAGE_MASK/offset_in_page(addr)/
  drm: i915: correct return status in intel_hdmi_mode_valid()
  drm/i915: fix regression after clock gating init split
  drm/i915: fix if statement in ivybridge irq handler

* 'drm-radeon-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
  drm/radeon/kms/atom: fix PHY init
  drm/radeon/kms: add missing Evergreen texture formats to the CS parser
  drm/radeon/kms: viewport height has to be even
  drm/radeon/kms: remove duplicate reg from r600 safe regs
  drm/radeon/kms: add support for Llano Fusion APUs
  drm/radeon/kms: add llano pci ids
  drm/radeon/kms: fill in asic struct for llano
  drm/radeon/kms: add family ids for llano APUs
  drm/radeon: fix oops in ttm reserve when pageflipping (v2)
  drm/radeon/kms: clean up the radeon kms Kconfig
  drm/radeon/kms: fix thermal sensor reading on juniper
  drm/radeon/kms: add missing case for cayman thermal sensor
  drm/radeon/kms: add blit support for cayman (v2)
  drm/radeon/kms/blit: workaround some hw issues on evergreen+

Merge branch 'timers-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

* 'timers-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  timers: Consider slack value in mod_timer()
  clockevents: Handle empty cpumask gracefully

* 'kvm-updates/3.0' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  KVM: Initialize kvm before registering the mmu notifier
  KVM: x86: use proper port value when checking io instruction permission
  KVM: add missing void __user * cast to access_ok() call

We had to say goodbye when David passed away recently.  David had a
huge impact on our community, both personally in the lives of the
people he worked with, and technically in the design and maintenance
of several subsystems.  He is greatly missed.

He also leaves behind a number of much loved subsystems now orphaned.
This patch updates the MAINTAINERS file for the areas that David was
responsible for and adds an entry for him to the CREDITS file.
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Acked-by: Harry Wei <harryxiyou@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

* git://git.kernel.org/pub/scm/linux/kernel/git/hirofumi/fatfs-2.6:
  fat: Fix corrupt inode flags when remove ATTR_SYS flag

_sdata needs to be declared in the linker script now as of commit
a2d063ac ("extable, core_kernel_data(): Make sure all archs define
_sdata")
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

die_if_no_fixup() shouldn't use get_user() as it doesn't call set_fs() to
indicate that it wants to probe a kernel address.  Instead it should use
probe_kernel_read().

This fixes the problem of gdb seeing SIGILL rather than SIGTRAP when hitting
the KGDB special breakpoint upon SysRq+g being seen.  The problem was that
die_if_no_fixup() was failing to read the opcode of the instruction that caused
the exception, and thus not fixing up the exception.

This caused gdb to get a S04 response to the $? request in its remote protocol
rather than S05 - which would then cause it to continue with $C04 rather than
$c in an attempt to pass the signal onto the inferior process.  The kernel,
however, does not support $Cnn, and so objects by returning an E22 response,
indicating an error.  gdb does not expect this and prints:

	warning: Remote failure reply: E22

and then returns to the gdb command prompt unable to continue.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

One of the kernel debugger cacheflush variants escaped proper testing.  Two of
the labels are wrong, being derived from the code that was copied to construct
the variant.

The first label results in the following assembler message:

    AS      arch/mn10300/mm/cache-dbg-flush-by-reg.o
  arch/mn10300/mm/cache-dbg-flush-by-reg.S: Assembler messages:
  arch/mn10300/mm/cache-dbg-flush-by-reg.S:123: Error: symbol `debugger_local_cache_flushinv_no_dcache' is already defined

And the second label results in the following linker message:

  arch/mn10300/mm/built-in.o:(.text+0x1d39): undefined reference to `mn10300_local_icache_inv_range_reg_end'
  arch/mn10300/mm/built-in.o:(.text+0x1d39): relocation truncated to fit: R_MN10300_PCREL16 against undefined symbol `mn10300_local_icache_inv_range_reg_end'

To test this file the following configuration pieces must be set:

	CONFIG_AM34=y
	CONFIG_MN10300_CACHE_WBACK=y
	CONFIG_MN10300_DEBUGGER_CACHE_FLUSH_BY_REG=y
	CONFIG_MN10300_CACHE_MANAGE_BY_REG=y
	CONFIG_AM34_HAS_CACHE_SNOOP=n
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

* 'for-linus' of git://git390.marist.edu/pub/scm/linux-2.6:
  [S390] fix kvm defines for 31 bit compile
  [S390] use generic RCU page-table freeing code
  [S390] qdio: Split SBAL entry flags
  [S390] kvm-s390: fix stfle facilities numbers >=64
  [S390] kvm-s390: Fix host crash on misbehaving guests

* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap-2.6: (21 commits)
  ARM: OMAP4: MMC: increase delay for pbias
  arm: omap2plus: move NAND_BLOCK_SIZE out of boards
  omap4: hwmod: Enable the keypad
  omap3: Free Beagle rev gpios when they are read, so others can read them later
  arm: omap3: beagle: Ensure msecure is mux'd to be able to set the RTC
  omap: rx51: Don't power up speaker amplifier at bootup
  omap: rx51: Set regulator V28_A always on
  ARM: OMAP4: MMC: no regulator off during probe for eMMC
  arm: omap2plus: fix ads7846 pendown gpio request
  ARM: OMAP2: Add missing iounmap in omap4430_phy_init
  ARM: omap4: Pass core and wakeup mux tables to omap4_mux_init
  ARM: omap2+: mux: Allow board mux settings to be NULL
  OMAP4: fix return value of omap4_l3_init
  OMAP: iovmm: fix SW flags passed by user
  arch/arm/mach-omap1/dma.c: Invert calls to platform_device_put and platform_device_del
  OMAP2+: mux: fix compilation warnings
  OMAP: SRAM: Fix warning: format '%08lx' expects type 'long unsigned int'
  arm: omap3: cm-t3517: fix section mismatch warning
  OMAP2+: Fix 9 section mismatch(es) warnings from mach-omap2/built-in.o
  ARM: OMAP2: Add missing include of linux/gpio.h
  ...

* git://git.kernel.org/pub/scm/linux/kernel/git/steve/gfs2-2.6-fixes:
  GFS2: Processes waiting on inode glock that no processes are holding

Merge branch 'fbdev-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/fbdev-3.x

* 'fbdev-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/fbdev-3.x:
  video: Fix use-after-free by vga16fb on rmmod
  video: Convert vmalloc/memset to vzalloc
  efifb: Disallow manual bind and unbind
  efifb: Fix mismatched request/release_mem_region
  efifb: Enable write-combining
  drivers/video/pxa168fb.c: add missing clk_put
  drivers/video/imxfb.c: add missing clk_put
  fbdev: bf537-lq035: add missing blacklight properties type
  savagefb: Use panel CVT mode as default
  fbdev: sh_mobile_lcdcfb: Fix up fallout from MERAM changes.

* 'for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:
  vfs: make unlink() and rmdir() return ENOENT in preference to EROFS
  lmLogOpen() broken failure exit
  usb: remove bad dput after dentry_unhash
  more conservative S_NOSEC handling

This reverts commit a559d2c8.

Turns out that device id 0x1d6b:0x0002 is a USB hub, which causes havoc
when the option driver tries to bind to it.

So revert this as it doesn't seem to be needed at all.

Thanks to Michael Tokarev and Paweł Drobek for working on resolving this
issue.

Cc: Paweł Drobek <pawel.drobek@gmail.com>
Cc: Michael Tokarev <mjt@tls.msk.ru>
Cc: Dominik Brodowski <linux@dominikbrodowski.net>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>